Alternatives to GLSA?
On 17.09.2011 15:13, Alan McKinnon wrote:
> On Sat, 17 Sep 2011 11:17:56 +0200
> Florian Philipp <lists@binarywings.net> wrote:
>
>> Hi list!
>>
>> Since GLSAs are in their current state of disregard, I'm searching for
>> another way to be informed about security fixes. What do you think is
>> the best approach here?
>>
>> Querying bugzilla for recently fixed security bugs like [1]?
>>
>> Searching for the term 'security bug' or something similar in
>> Changelogs?
>>
>> Looking at some other web site or distribution and anticipating changes
>> in the portage tree?
>>
>> [1]
>> https://bugs.gentoo.org/buglist.cgi?list_id=428229;query_format=advanced;chfield=bug_status;chfieldfrom=2011-06-01;chfieldto=Now;chfieldvalue=RESOLVED;component=Security
>
> If you just want to be informed about the state of security of packages,
> subscribe to the security lists of other distros. I find RedHat and
> Fedora to be useful and up to date. If you see something that looks
> like you need to take action, find the corresponding Gentoo package and
> investigate further.
>
> If you need to be on the cutting edge of security issues, then you need
> to be on the various vuln disclosure lists around. But be warned, they
> can be noisy and you have to train your brain in what to ignore.
>
>
Thank you for your insight. As a gentoo-specific workaround, I've
written a little (well, not *so* little) bash script that filters the
ChangeLogs of all installed packages for fixed security bugs applied
recently (default: one week).
Regards,
Florian Philipp
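Florian's script itself is not included in the thread. The following is an added example, not Florian's code and not a Gentoo project tool, of how such a filter can be written in POSIX shell and awk. It assumes the old-style Gentoo ChangeLog layout (entries headed by a line of the form `  DD Mon YYYY; Name <mail> files:` followed by indented description lines), that installed packages are listed under /var/db/pkg/<category>/<pkg>-<version> and that each package's ChangeLog lives at $PORTDIR/<category>/<pkg>/ChangeLog; the `scan_security_changelogs` name, the `SCAN_*` variables and the sample ChangeLog it writes are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Florian's script): report recent ChangeLog entries of
# installed packages that mention a security fix.
# Assumed locations; override with environment variables if your layout differs.
PORTDIR="${PORTDIR:-/usr/portage}"
VDB="${VDB:-/var/db/pkg}"

# scan_changelog FILE CUTOFF
#   FILE   : a Gentoo-style ChangeLog
#   CUTOFF : earliest entry date to report, as YYYYMMDD
# Prints "<YYYYMMDD>: <entry text>" for each entry dated on or after CUTOFF
# whose text mentions "security" or a "bug #NNNNNN" reference.
scan_changelog() {
    awk -v cutoff="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        # Emit the entry collected so far if it is recent and security-related.
        function flush() {
            if (date != "" && date >= cutoff && body ~ /[Ss]ecurity|[Bb]ug #[0-9]+/)
                printf "%s: %s\n", date, body
            date = ""; body = ""
        }
        # Entry header, e.g. "  17 Sep 2011; Name <mail> +pkg-1.0.ebuild:"
        /^  [0-9]+ [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9]; / {
            flush()
            date = substr($3, 1, 4) mon[$2] sprintf("%02d", $1)
            next
        }
        # "*pkg-1.0 (17 Sep 2011)" version markers separate blocks, no text.
        /^\*/ { flush(); next }
        # Indented continuation lines belong to the current entry.
        date != "" && NF > 0 {
            line = $0; sub(/^ +/, "", line)
            body = body (body == "" ? "" : " ") line
        }
        END { flush() }
    ' "$1"
}

# scan_installed CUTOFF: run scan_changelog over every installed package,
# prefixing each hit with category/package.
scan_installed() {
    for dir in "$VDB"/*/*/; do
        [ -d "$dir" ] || continue
        cat=$(basename "$(dirname "$dir")")
        pf=$(basename "$dir")                               # e.g. openssl-1.0.0e
        pn=$(printf '%s\n' "$pf" | sed -E 's/-[0-9].*$//')  # strip the version
        log="$PORTDIR/$cat/$pn/ChangeLog"
        [ -r "$log" ] || continue
        scan_changelog "$log" "$1" | sed "s|^|$cat/$pn |"
    done
}

# Constructed sample ChangeLog (not a real Gentoo log; bug numbers are fake)
# so the script can be exercised without a portage tree.
write_sample_changelog() {
    cat > "$1" <<'EOF'
# ChangeLog for app-misc/example

*example-1.2.4 (15 Sep 2011)

  15 Sep 2011; Jane Doe <jane@example.invalid> +example-1.2.4.ebuild:
  Version bump, fixes security bug #000001 (buffer overflow in parser).

  12 Sep 2011; Jane Doe <jane@example.invalid> example-1.2.3.ebuild:
  Stable on amd64.

  01 Aug 2011; Jane Doe <jane@example.invalid> +example-1.2.3.ebuild:
  Security bump, bug #000002.
EOF
}

# Usage: sh scan_security_changelogs.sh [CUTOFF]
# Default cutoff is one week ago (GNU `date -d`; falls back to today).
main() {
    cutoff=${1:-$(date -d '7 days ago' +%Y%m%d 2>/dev/null || date +%Y%m%d)}
    sample=$(mktemp)
    write_sample_changelog "$sample"
    echo "== sample ChangeLog, cutoff 20110910 =="
    scan_changelog "$sample" 20110910
    rm -f "$sample"
    echo "== installed packages, cutoff $cutoff =="
    scan_installed "$cutoff"
}

main "$@"
```

Matching on "security" or a bug reference is deliberately loose: it errs towards reporting a version bump that merely cites a bug, which is cheaper to dismiss by hand than a missed security fix. The date comparison works on YYYYMMDD strings, so it needs no GNU date extension beyond the optional default cutoff.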